Use case: two of the biggest banks

Disconnected or inaccessible systems need to be part of the overall vulnerability, risk and compliance program:

- Sensitive/regulated systems
- Devices
- Legacy systems
- Highly locked-down systems
- Network appliances
- Air-gapped networks
- Fortigate FortiOS
Use case: search engine tech company and healthcare network

Visibility matters to the...

Impacts to the security program include:

- Incomplete asset inventory
- Exposure to unknown vulnerabilities & misconfigurations
- Ineffective risk evaluation
- Compliance in silos
Current Options

- Ad-hoc scripts
- Procedural controls (manual assessment)
- Outside audits
- Limited software-based solutions
Introducing Out-of-Band Configuration Assessment (OCA), an add-on to VM/PC

- Flexible data collection via API/UI
- Support for Inventory, Policy Compliance and Vulnerability Assessment

[Screenshot: OCA asset list in the Qualys UI, showing assets such as FireEye CM, Cisco IOS, Acme Packet Net Platform, WebSphere and FireEye CMS 8.x, a Quick Actions menu (View Details, Add commands, Delete) and a vulnerability severity summary]
Configuration Upload Workflow

Asset provisioning: push the asset data

POST http://{{base_url}}/oca/v1.0/asset

Qualys creates an agent-based asset.

Retrieve the list of commands whose output must be collected for the asset

GET http://{{base_url}}/oca/v1.0/asset/03df1879-458c-495d-873d-7ab2daa34045/commands/PolicyCompliance

{
  "code": 200,
  "data": {
    "items": [
      "version",
      "tsclockserver",
      "configshow -all",
      "syslogdipshow"
    ]
  }
}

Upload the command output (Body: form-data; KEY is the command name, VALUE is the captured output file)

POST http://{{base_url}}/oca/v1.0/asset/03df1879-458c-495d-873d-7ab2daa34045/command/output/{{type}}

KEY: configshow -all    VALUE: Choose Files (No file chosen)

Report generation (sample command output as shown on the slide):

tsclockserver: Active NTP Server 10.170.158.12
version: Kernel: 2.6.14.2
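The three-call exchange on this slide, written out as an added example (not Qualys's code or SDK): a Python client that provisions an asset, fetches the command list and uploads the captured command output, run against an in-memory stand-in for the service so that it executes offline. The endpoint paths and the {"code", "data", "items"} shape of the command-list response come from the slide; the `assetId` field in the provisioning response, the status codes, the dict that stands in for the form-data body, the sample asset record and every device output other than the two printed on the slide are assumptions made for this demonstration.

```python
"""Walk-through of the OCA configuration upload workflow (added example).

Not Qualys code. Endpoint paths and the command-list response shape are taken
from the slide; the in-memory service, the assetId field, the status codes and
the dict used in place of the form-data body are assumptions.
"""
import uuid

ASSET_TYPE = "PolicyCompliance"  # the {{type}} segment of the slide's URLs

# Commands the service expects per assessment type. The four entries are the
# ones shown in the slide's GET response; the mapping itself is an assumption.
REQUIRED_COMMANDS = {
    "PolicyCompliance": ["version", "tsclockserver", "configshow -all", "syslogdipshow"],
}


class FakeOcaService:
    """In-memory stand-in for http://{{base_url}}/oca/v1.0 (assumption)."""

    def __init__(self):
        self.assets = {}    # asset_id -> asset record pushed by the client
        self.outputs = {}   # (asset_id, type) -> {command: captured output}

    def handle(self, method, path, body=None):
        """Dispatch one request; returns (status, json_body) like an HTTP reply."""
        parts = path.strip("/").split("/")
        # POST /oca/v1.0/asset -> provision the asset (an agent-based asset is created)
        if method == "POST" and parts == ["oca", "v1.0", "asset"]:
            asset_id = str(uuid.uuid4())
            self.assets[asset_id] = dict(body)
            return 200, {"code": 200, "data": {"assetId": asset_id}}
        # GET /oca/v1.0/asset/{id}/commands/{type} -> which outputs to collect
        if method == "GET" and len(parts) == 6 and parts[4] == "commands":
            asset_id, kind = parts[3], parts[5]
            if asset_id not in self.assets or kind not in REQUIRED_COMMANDS:
                return 404, {"code": 404, "data": {}}
            return 200, {"code": 200, "data": {"items": list(REQUIRED_COMMANDS[kind])}}
        # POST /oca/v1.0/asset/{id}/command/output/{type} -> form-data upload,
        # one key per command name, value = the captured output
        if method == "POST" and len(parts) == 7 and parts[4:6] == ["command", "output"]:
            asset_id, kind = parts[3], parts[6]
            if asset_id not in self.assets:
                return 404, {"code": 404, "data": {}}
            store = self.outputs.setdefault((asset_id, kind), {})
            store.update(body)
            return 200, {"code": 200, "data": {"received": sorted(body)}}
        return 404, {"code": 404, "data": {}}


def run_upload_workflow(service, asset, captured, kind=ASSET_TYPE):
    """Provision the asset, fetch its command list, upload the captured outputs.

    `captured` maps command name -> output text collected out-of-band (for
    example by an operator at the console of an air-gapped device). The summary
    lists the required commands that are still missing, so a report is not
    generated from partial data without anyone noticing.
    """
    status, reply = service.handle("POST", "/oca/v1.0/asset", asset)
    if status != 200:
        raise RuntimeError(f"asset provisioning failed: {reply}")
    asset_id = reply["data"]["assetId"]

    status, reply = service.handle("GET", f"/oca/v1.0/asset/{asset_id}/commands/{kind}")
    if status != 200:
        raise RuntimeError(f"command list unavailable: {reply}")
    required = reply["data"]["items"]

    # Upload only what the service asked for; report the gaps and the extras.
    to_send = {cmd: captured[cmd] for cmd in required if cmd in captured}
    missing = [cmd for cmd in required if cmd not in captured]
    ignored = sorted(set(captured) - set(required))
    status, reply = service.handle(
        "POST", f"/oca/v1.0/asset/{asset_id}/command/output/{kind}", to_send)
    if status != 200:
        raise RuntimeError(f"output upload failed: {reply}")

    return {"asset_id": asset_id, "uploaded": reply["data"]["received"],
            "missing": missing, "ignored": ignored, "complete": not missing}


# Constructed sample: a Brocade-style switch. Two of the outputs are the ones
# printed on the slide; the asset record and the other outputs are made up.
SAMPLE_ASSET = {"name": "COMPUTERNAME.1", "ip": "10.0.0.5", "os": "Brocade DCX Switch"}
SAMPLE_CAPTURE = {
    "version": "Kernel: 2.6.14.2",
    "tsclockserver": "Active NTP Server 10.170.158.12",
    "configshow -all": "[constructed configshow output]",
    "uptime": "[constructed; not requested by the service]",
}

if __name__ == "__main__":
    summary = run_upload_workflow(FakeOcaService(), SAMPLE_ASSET, SAMPLE_CAPTURE)
    print(summary)  # missing: ['syslogdipshow'], complete: False
```

The check worth keeping from this sketch is the comparison between the command list the service returns and the outputs actually captured: an upload that silently omits a required command (here `syslogdipshow`) would otherwise yield a report that looks complete while assessing only part of the device's configuration.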
Out-of-Band Configuration Assessment

Qualys OCA Benefits

Cover your blind spots quickly
For urgently required technologies, as an interim method until scanner or agent support is available.

Complete vulnerability & compliance visibility
Assess isolated and locked-down systems for misconfigurations and vulnerabilities.

Flexible data collection
Fully automate data collection out-of-band via API, or upload manually via the UI.

Expanded platform coverage
Extends Qualys coverage to legacy and uncommon platforms, including network devices, applications, appliances, mainframes, and more.
Technology Support

v0.9 and v1.0 release, November 2018

- FireEye Appliances
- BIG-IP F5
- Brocade DCX Switch
- Acme Packet Net
- Imperva Firewall
- Cisco Wireless LAN Controller 7
- Cisco UCS Server
- NetApp ONTAP
- Juniper IVE

Future Priorities

- AS/400
- Cisco Meraki
- Sonic Firewall
- Fortinet Firewalls
- Aruba WLC
- Dell EMC Data Domain
- Oracle Tape Library
Availability & Roadmap

November 2018
- v0.9 release for limited customers
- API-based asset and config data

December 2018
- UI-based data upload for PC
- Bulk asset data upload (CSV)
- Integration with AssetView

January 2019
- Extend support to VM
- Support OCA for AS/400

1H 2019
- Possible SDK route
- Expand platform coverage
- CMDB integration
- FIM integration
…ace the Assessment of Procedural Controls & Vendor Risk

…nce Solutions, Qualys, Inc.

Agenda

- How SAQ complements Qualys technical security apps:
  Internal procedural controls assessment
  Vendor control & risk assessment
- Content support
- Demo
- Roadmap
- Preview of a future use case: customer risk management as a vendor
One of the biggest financial institutions

Assesses their internal procedural and process controls.

Needs to comply with a number of international and regional mandates/standards.

They understand that >50% of compliance requirements are related to assessing processes and procedures.

Important that respondents find it easy and that the collected data is made actionable.

Took 2 hours to rebuild an Excel-based 76-question assessment using the web-based UI and out-of-the-box rich content.

Dashboards the process deficiencies and the risk posed by internal control failures.

Consolidates the internal procedural control posture with technical compliance controls.
New-age Vendor Assessment Challenges

Extend the perimeter to include vendors: security & vulnerability data collection

- Vendor profiling based on the services
- Vendor assessment based on criticality
- Vendor control data aggregation with internal security and compliance data
- Automated workflow, operational dashboards

[Graphic: attack, impact and breach origin, citing the T-Mobile / Experian breach that originated at a third-party server]
One of the biggest pharma companies

Assessing their vendor risk through SAQ

- Vendor profiling: defines criticality based on service areas/cybersecurity domains
- Uses out-of-the-box content, including regional mandates
- Easy online workflow for the vendors, who receive reminders, alerts and status
- Assesses vendors per their risk profile, in a standardized (SIG) manner
- Dashboards the risk posed by the highly critical vendors and ranks them per risk
- Consolidates the vendor control posture with internal procedural & technical compliance controls
Rich Template Library

PCI
- PCI DSS SAQ A, B, C, D

Industry
- IT for SOX
- GLBA

Popular Standards
- ISO 27001-2013 ISMS
- NIST CSF
- COBIT 5
- FedRAMP
- COSO
- ITIL
- CIS Top 20 Controls
- Shared Assessments (SIG), vendor assessment

Regional
- GDPR
- Abu Dhabi Info Sec Standards
- ANSSI (France)
- MAS IBTRM (Singapore)
- BSP (Philippines)
- BSI Germany
- ISM (Australia)
- UK Data Protection
- RBI Guidelines (India)
- California Privacy**
- Canada Data Protection 2018**

Technical Services
- CSA CAIQ v3.0.1
- CSA CCM v3.0.1
- Vendor Security for Hosting Service Provider AWS**
- Procedural controls for cloud, containers**
Security Assessment Questionnaire

SAQ Roadmap

Q3 2018
- User/role/privilege management
- Question bank
- Create template from library templates
- New campaign UI
- Risk scoring

Q4 2018
- SAQ Lite, for PCI users

Q1 2019
- Vendor-driven workflows to cater to customers:
  - Create answer bank
  - Upload customer-required templates
  - Match on keywords
- Metrics, dashboards on risk posed to my customers
- Vendor risk management workflows:
  - Vendor onboarding, profiling
  - Automated assessment based on vendor profiles/onboarding
  - Compare vendors based on risk scores
  - Dashboards on total vendor risk / trending / top 5 risky vendors

* Roadmap items are future looking; timing and specifications may change.
In a world where everyone is a vendor of someone
SAQ feature coming up in Q1: answer bank

Technology company wants to understand the risk posed to their customers

- Receives 100s of questionnaires from their customers and answers them offline, through spreadsheets
- Costly & resource-intensive to respond, and gains no visibility into risk intelligence
- Wants to understand what risk they pose to their critical customers
- Wants to understand the top failing/passing cybersecurity areas/answers to improve their own internal controls
- Wants to drive the vendor-management project to showcase their good security practices and use the data for contract negotiation
Security Assessment Questionnaire